TID-407: Missing Message Replay Protection
Threat Description
Threat actors may be able to replay a message to a device to cause an unwanted function, send an unwanted command, or gain access to privileged data. Message replaying can be used to bypass non-existent or poorly designed authentication mechanisms lacking proper protections, such as a nonce or timestamp.
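As an added example (not part of this threat entry or of the cited advisories), the receiver-side check that makes an authenticated command non-replayable: a per-sender monotonic counter plus a timestamp window, with the freshness-free variant beside it to show why a MAC alone does not stop replay. The message layout, key and sender ids are constructed for this example.

```python
import hmac
import hashlib
import struct

# Constructed example key; a real deployment provisions a per-device secret.
KEY = b"example-shared-key-not-for-production"
TAG_LEN = 32  # HMAC-SHA256 output length


def build_message(key, sender, counter, ts, cmd):
    """Assumed layout: sender_id(4) | counter(8) | timestamp(8) | cmd | tag(32)."""
    body = struct.pack(">IQQ", sender, counter, ts) + cmd
    return body + hmac.new(key, body, hashlib.sha256).digest()


def mac_only_accept(key, msg):
    """The weak design: a valid MAC with no freshness field is accepted every
    time it is presented, so a captured message can be replayed verbatim."""
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    return hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())


class ReplayProtectedReceiver:
    """Accepts a command only if the MAC verifies, the timestamp is within the
    tolerance window, and the counter is higher than any seen from that sender."""

    def __init__(self, key, window_seconds=30):
        self.key = key
        self.window = window_seconds
        self.last_counter = {}  # sender_id -> highest counter accepted so far

    def verify(self, msg, now):
        if len(msg) < 20 + TAG_LEN:
            return "malformed"
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return "bad_mac"
        sender, counter, ts = struct.unpack(">IQQ", body[:20])
        if abs(now - ts) > self.window:  # stale or future-dated message
            return "stale"
        if counter <= self.last_counter.get(sender, -1):  # already consumed
            return "replay"
        self.last_counter[sender] = counter
        return "accepted"


def demo():
    rx, now = ReplayProtectedReceiver(KEY), 1_700_000_000
    m1 = build_message(KEY, 1, 1, now, b"RUN")
    results = [rx.verify(m1, now), rx.verify(m1, now)]  # second copy is a replay
    results.append(rx.verify(build_message(KEY, 1, 2, now - 120, b"STOP"), now))
    tampered = bytearray(build_message(KEY, 1, 3, now, b"RUN"))
    tampered[20] ^= 0x01  # flip a bit in the command field
    results.append(rx.verify(bytes(tampered), now))
    return results
```

The counter state must survive device reboots (or be re-synchronised on reconnect); otherwise the receiver silently reverts to the mac_only_accept behaviour.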
Threat Maturity and Evidence
Observed Adversary Technique
ATT&CK T0887 Wireless Sniffing
“In the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster.”
“In Dallas’ case, there are a number of ways that the attack could have been carried out, but the most likely is that someone carried out a “radio replay” attack, which involves recording the radio signal that was broadcast during the latest monthly test of the emergency siren system and playing it back repeatedly on Friday, according to Bastille, a security firm specializing in finding and remediating radio frequency vulnerabilities.”
CWE
CWE-294: Authentication Bypass by Capture-replay (Base)
“A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).”
CVE
Schneider Electric Modicon Modbus Protocol - CVE-2017-6034
“Sensitive information is transmitted in cleartext in the Modicon Modbus protocol, which may allow an attacker to replay the following commands: run, stop, upload, and download.”
Sierra Wireless AirLink Raven X EV-DO Vulnerabilities - CVE-2013-2820
“The AirLink Raven X EV-DO is vulnerable to replay attacks that bypass authentication. By sending a series of crafted packets to Port 17336/UDP and Port 17388/UDP, an attacker could reprogram the device’s firmware image. This could allow the attacker to affect the availability of the firmware.”